Options in Data-Loss Prevention

This article appears in the November 2012 issue of HealthLeaders magazine.

Securing the healthcare enterprise is a many-layered endeavor. Electronic locks on doors keep out intruders and help track who is coming and going. Network access control technology acts as the locks on the computer networks behind the doors. Firewalls and anti-malware technology keeps at bay the vandalism of the wild public Internet. But like some 1960s spy movie, one of the biggest threats comes from the ordinary comings and goings of authorized personnel, and the information they carry.

To address this risk, healthcare leaders turn to a layer known as data-loss prevention, or DLP.

"For what it's doing for our organization, the cost of DLP is really minimal, as compared to the benefits," says Shane Molacek, CIO of Valley County Health System, which operates a 16-bed critical access hospital located in the north central town of Ord, Neb., some 180 miles from Lincoln.

Molacek uses technology that scans each email being sent from Valley County for protected health information, which under HIPAA must be protected from unauthorized disclosure.

"IT's job is to make sure that the doors stay open and that we don't have either breaches in content or information that shouldn't be getting out of here," Molacek says.

When Molacek arrived at Valley County about three years ago, it was building a $27 million facility to replace a critical access hospital built in the 1970s. DLP was on a list of to-dos that started with implementing a disaster recovery strategy. "The fact that we hadn't suffered any kind of PHI loss or any HIPAA breach to any level really was caused more by dumb luck than by anything we had put in place," he says.